A new series of cyber attacks conducted by Chinese hackers targeted the US media, it seems that the responsible is the same group that hit New York Times’ network late 2012, this time using improved versions of malware.
In 2012 the attacks occurred in concomitance with the investigation of the journal, published on Oct. 25th, that revealed that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings. On Oct. 25th the AT&T informed The Times journal of suspect activities related ongoing attacks believed to have been perpetrated by the Chinese military.
Jill Abramson, executive editor of The Times declared:
“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,”
The news on new attacks has been published on a blog post by FireEye security firm, the hackers after the disclosure of details on the data breach suspended their activities early 2013.
Security firm FireEye detected new variants of the malware during the investigation on a cyber attack against an organization involved in shaping economic policy, the hackers behind the attack against the NYT deployed updated versions of the Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families in May.
Security researchers believe that Chinese hackers are involved in a large-scale cyber espionage operation that hit also US media, the malicious code used are newer versions of Aumlib and Ixeshe malware.
The technical threat intelligence team discovered that the actual version of Aumlib encodes certain HTTP communications, the malware is well known by security experts that detected it in various targeted attacks in the past.
Aumlib has been adopted in targeted attacks for years, the previous variants of this malware family generated the following POST request:
POST /bbs/info.asp HTTP/1.1
Sending data via this POST request in clear text with the following structure:
<VICTIM BIOS NAME>|<CAMPAIGN ID>|<VICTIM EXTERNAL IP>|<VICTIM OS>|
Recently FireEye experts downloaded a new variant from the following URL:
status[.]acmetoy[.]com/DD/myScript.js or status[.]acmetoy[.]com/DD/css.css
From the above traffic is possible to note the improvement operated by hackers:
Despite the changes appears minor they could be sufficient to evade defensive measurement against the malware.
The improvements for the version of Ixeshe used by Chinese hackers is related to the use of a new network traffic patterns to evade traditional network security systems.
The network traffic for Ixeshe early versions is encoded with a custom Base64 alphabet, the URI pattern has been largely consistent:
/[ACD] [EW]S[Numbers].jsp?[Base64]
Analyzing a recent sample that targeted entities in Taiwan FireEye team noted that the sample has totally different traffic pattern sufficient to evade classic network traffic signature based defense systems..
“The Base64-encoded data still contains information including the victim’s hostname and IP address but also a “mark” or “campaign tag/code” that the threat actors use to keep track of their various attacks. The mark for this particular attack was [ll65].”
A curious particular related to both families of malware detected is that they weren’t updated at least in last 12 months, Aumlib had not changed since at least May 2011 meanwhile Ixeshe had not been improved since at least December 2011.
The discovery of FireEye expert is considerable very important because it highlights a new change in the techniques, tactics, or procedures (TTPs) of Chinese hackers, this means the group is continuing the cyber espionage campaign discovered months ago.
“The most successful threat actors evolve slowly and deliberately. So when they do change, pay close attention.
Knowing how attackers’ strategy is shifting is crucial to detecting and defending against today’s advanced threats. But knowing the “why” is equally important. “
Pierluigi Paganini
(Security Affairs Chinese hackers, cyber espionage)